cb4a0d555233f1ffa56170a3559fb33cc22053d6fef7a5dff245ac1970db93b4

Resubmissions

01-07-2024 03:03

240701-dkfftsxflm 6

01-07-2024 02:56

240701-dffwssxemm 7

01-07-2024 02:51

240701-db8e9axdnn 6

01-07-2024 02:44

240701-c8aptatemd 6

Analysis

max time kernel
290s
max time network
255s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

folder-4/4/777.pdf
Size

5.7MB
MD5

4177fbfe03075bace0b1b86444bf24bf
SHA1

802ca6fd560d8c2dc5d43a49cc29a2bedb4e13ca
SHA256

ae08d188a5c463b9d90aead76d8ad7703dd6d79578e40517b69dc38821a045a3
SHA512

277f15669df62d4e2b75780bb152c96ad0b4992dcc54f6c4384d0119d5a3a1b6bed549f44e6656add3fa44dc37b195a438c39b84ffc137e47fa41315f61a2f6e
SSDEEP

24576:+/KF/KU/Kk/Kw/KU/KE/KZ/Ka/Kp/KP/KW/KY/KS/KC/KD/Kn/K6/Ki/KK/KT/KD:3k

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

AcroRd32.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION AcroRd32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3864 AcroRd32.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exe

pid process

3864 AcroRd32.exe
3864 AcroRd32.exe
3864 AcroRd32.exe
3864 AcroRd32.exe
3864 AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

pid	process
3864	AcroRd32.exe

pid	process
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe
3864	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3864 wrote to memory of 4016	3864	AcroRd32.exe	RdrCEF.exe
PID 3864 wrote to memory of 4016	3864	AcroRd32.exe	RdrCEF.exe
PID 3864 wrote to memory of 4016	3864	AcroRd32.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 1848	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe
PID 4016 wrote to memory of 916	4016	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\folder-4\4\777.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BFEE5953176594AAAC7F40F52F420DF4 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1848

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9E6F464DA6604CA628F161D26B84F893 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9E6F464DA6604CA628F161D26B84F893 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
3⤵
PID:916

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC750D6C5454E44C1E1AC5E66CF79D2A --mojo-platform-channel-handle=2308 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2612

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E2C3F436A8D16F40DDD1B51868472F95 --mojo-platform-channel-handle=1844 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4964

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2FAA7D90B4FEC8A1A867D128D03F8358 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2FAA7D90B4FEC8A1A867D128D03F8358 --renderer-client-id=6 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2508

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AC585B63148716C6F08493CB9482DC6B --mojo-platform-channel-handle=1828 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:64

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
e994610a445ceda839cc6743a3911af4

SHA1
781399d9c2627c2008eca23a1c6adcf0a4713bf4

SHA256
a00649c6cc4d511d74f2317c8cee04cc356a662857fddf799f8ad5313c587103

SHA512
1b8c9a804dbdafcb71ff938c0c45f9789d39a282b730cdd274d080f945c366003c258d494c07325e750e0ed7a5b582b76f8a838fd2b737c5e6a2bb28abc83418

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
Filesize
64KB

MD5
572126cadd0ef2251582bbf1e177c173

SHA1
7358331f8969a71037cb5c4d679fcaef07939c85

SHA256
2d182ad5a59bcaad477fb85306e282874ad175bda22b75207332ae16d2c641bb

SHA512
92707467b97b47483bff3b0445de22b7738d433e43dedfed5cfea54c1c6da46f1027d47afe3fb6e10ef09207b8fbb6088bb8e474dea52b639b1a9b8b35fa453c

Download Submit